LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
Linux - Networking: This forum is for any issue related to networks or networking. Routing, network cards, OSI, etc. Anything is fair game.
Old 09-28-2017, 07:05 PM   #1
taylorkh
Senior Member
 
Registered: Jul 2006
Location: North Carolina
Distribution: CentOS 6, CentOS 7 (with Mate), Ubuntu 16.04 Mate
Posts: 2,127

VPN vs. firewall question


I thought this was a simple question. But then I asked a friend who teaches Linux and networking classes at a local community college and after some drawing of diagrams on the white board and scratching of heads... Perhaps it is not so simple a question.

I recently received a new DSL modem/router box from my ISP. While poking around the settings I found some rather detailed firewall settings. I set the security setting to high and then disabled a bunch of other services which I did not recognize or which I did not like the sound of (e.g. Microsoft something or Game something). Rather neat I thought. But then I realized that as I connect via a VPN using Openvpn on a CentOS 7.4 "gateway" box which shares the VPN to the other computers on my LAN... I am tunneling right through all of the neat blocks in the Router firewall. Which brings up the question...

Simple case:

I have a Linux PC with its built in firewall "properly" configured to stop the traffic I do not want (a subject for another post).

I connect the PC to my VPN provider's server in somewhereville using Openvpn with the .ovpn file provided by the VPN company.

Is the VPN traffic filtered by the firewall on the PC?

Actual configuration case:

My "gateway" computer has one NIC connected to the router and receives IP address 192.168.0.xxx from the router's DHCP.

The second NIC is configured by the network manager gui as "Shared to other computers." It receives an IP address of 10.42.0.1. I do not know from where - just some network manager magic. So I decided to run with that subnet.

The "gateway" computer also runs DHCP and assigns addresses in 10.42.0.xxx to the PCs on my LAN. Works great.

The VPN connection is made on the "gateway" computer - again using openvpn.

The real question is... On which side of the gateway's firewall does the VPN tunnel dump its traffic? Is the firewall protecting the gateway computer and the PCs on the LAN?

I activate the VPN thus:
Code:
sudo openvpn --config ~/bin/atl-a06.ovpn --auth-user-pass ~/bin/pw
where the .ovpn file contains (slightly edited for confidentiality reasons)
Code:
[ken@taylor16 bin]$ cat atl-a06.ovpn 
client
dev tun
proto udp
remote 111.222.333.444 1194
resolv-retry infinite
nobind
persist-key
persist-tun
persist-remote-ip
#ca vpn.crt

tls-client
remote-cert-tls server
auth-user-pass
comp-lzo
verb 3

auth SHA256
cipher AES-256-CBC

<ca>
-----BEGIN CERTIFICATE-----
MIIESDCCAzCgAwIBAgIJAKSqvk2CSdJGMA0GCSqGSIb3DQEBBQUAMHUxCzAJBgNV
...
defHWGj1eucVyy9fxKMcX89gjstQZDmsINNtG1C78/+nYS65rqaBaq+rqpA=
-----END CERTIFICATE-----
</ca>
script-security 2
up /etc/openvpn/usnserver_on.sh
down /etc/openvpn/usnserver_off.sh
The up and down scripts change the /etc/resolv.conf file on the "gateway" computer to point to the VPN DNS server when the VPN is connected or the ISP DNS server when the VPN is disconnected. No DNS leaks here.

TIA,

Ken

p.s. I guess I should have stated "network-manager-applet" rather than network manager.

Last edited by taylorkh; 09-28-2017 at 07:10 PM.
 
Old 09-29-2017, 05:47 AM   #2
business_kid
LQ Guru
 
Registered: Jan 2006
Location: Ireland
Distribution: Slackware, Slarm64 & Android
Posts: 15,988

Why not specifically block the vpn in the firewall and see what you get in the way of internet traffic? If internet traffic dies, your firewall is filtering the internet. If internet traffic continues, your firewall is being bypassed.

The guy did diagrams and stuff because that's what guys do when you ask them a network question. You know what you're talking about but they don't.
 
Old 09-29-2017, 08:13 AM   #3
taylorkh
Senior Member
 
Registered: Jul 2006
Location: North Carolina
Distribution: CentOS 6, CentOS 7 (with Mate), Ubuntu 16.04 Mate
Posts: 2,127

Original Poster
Thanks business_kid,

I like your approach. When I took the dog for a walk this morning I was thinking about test scenarios I could set up. I had not thought of just jamming a wrench in the machine and seeing what happens. I will work on that and report back.

Thanks again,

Ken
 
Old 09-29-2017, 09:31 AM   #4
taylorkh
Senior Member
 
Registered: Jul 2006
Location: North Carolina
Distribution: CentOS 6, CentOS 7 (with Mate), Ubuntu 16.04 Mate
Posts: 2,127

Original Poster
This does not seem as simple as it might be. And I am new to using the Firewall Configuration gui. As best I can tell I have:

Connections:
plp2 (the incoming Ethernet from my router)
tun0 (my VPN connection)

both have the Default Zone: public

Interfaces
enp0s20u4u1 (the second NIC which is Shared to other computers)

Zone: public

If I examine the zone "public" I see the following services checked:

dhcpv6-client
nfs
ssh
vnc-server

The Interfaces tab for Zone "public" shows the two NICs but not tun0

As openvpn is NOT checked in the Services for zone "public" I am not sure how I am connecting to the Internet. If I access an IP address detection page I see an address which correctly corresponds to the VPN provider's server.

I still have much to learn/figure out.

Ken
 
Old 09-29-2017, 04:35 PM   #5
ferrari
LQ Guru
 
Registered: Sep 2003
Location: Auckland, NZ
Distribution: openSUSE Leap
Posts: 5,754

By default encrypted openVPN tunnel traffic will be arriving on port 1194, so in that sense if the client firewall does not block the configured port then VPN traffic is passing through.

You could observe the traffic arriving at plp2 via the encrypted tunnel with tcpdump (assuming the default port 1194 is in use) eg
Code:
tcpdump -i plp2 udp port 1194
The openVPN client decrypts the traffic and it can be observed using
Code:
tcpdump -i tun0
This might be of interest to you...
https://www.bestvpn.com/how-to-hide-...-introduction/


Quote:
The second NIC is configured by the network manager gui as "Shared to other computers." It receives an IP address of 10.42.0.1. I do not know from where - just some network manager magic. So I decided to run with that subnet.
This is the default subnet used by NM when connection sharing is in use. Read 'man nm-settings' for more info...
Quote:
For IPv4 method "shared", the IP subnet can be configured by adding one manual IPv4 address or otherwise 10.42.x.0/24 is chosen.
 
Old 09-30-2017, 05:23 AM   #6
business_kid
LQ Guru
 
Registered: Jan 2006
Location: Ireland
Distribution: Slackware, Slarm64 & Android
Posts: 15,988

In addition to ferrari's wise comments, the output of 'route' should throw up the main network routes and show you what's going on.
 
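Following on from ferrari's tcpdump suggestion and business_kid's pointer to the routing table, here is an added example (not from the thread) of what `ip route` (the modern form of `route`) is telling you while the tunnel is up. When the provider's server pushes the usual `redirect-gateway def1`, the OpenVPN client installs two routes, 0.0.0.0/1 and 128.0.0.0/1, via tun0. Each is more specific than the original default route, so the kernel's longest-prefix match sends everything except the VPN server itself (which gets a host route out the real NIC) into the tunnel, and the modem/router only ever sees encrypted UDP to port 1194. The route table below is constructed; the tunnel subnet 10.8.0.0/24, the server address 203.0.113.10 and the gateway's own addresses are assumptions, not values from the thread.

```python
import ipaddress

# Constructed sample of `ip route` on the CentOS gateway with the tunnel up.
# 10.8.0.0/24 (tunnel subnet), 203.0.113.10 (VPN server) and the gateway's
# own addresses are assumed for the example and do not come from the thread.
ROUTES_VPN_UP = """\
0.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.0.1 dev plp2 proto dhcp metric 100
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
10.42.0.0/24 dev enp0s20u4u1 proto kernel scope link src 10.42.0.1
128.0.0.0/1 via 10.8.0.1 dev tun0
192.168.0.0/24 dev plp2 proto kernel scope link src 192.168.0.23 metric 100
203.0.113.10 via 192.168.0.1 dev plp2
"""


def parse_routes(text):
    """Parse `ip route` lines into dicts with network, dev, via and metric."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        dest = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        # a bare address (host route) becomes a /32 network
        net = ipaddress.ip_network(dest, strict=False)
        route = {"network": net, "dev": None, "via": None, "metric": 0}
        for i, tok in enumerate(fields[1:], start=1):
            if tok == "dev":
                route["dev"] = fields[i + 1]
            elif tok == "via":
                route["via"] = fields[i + 1]
            elif tok == "metric":
                route["metric"] = int(fields[i + 1])
        routes.append(route)
    return routes


def lookup(routes, dst):
    """Longest-prefix match; lowest metric breaks ties, as the kernel FIB does."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in routes if addr in r["network"]]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r["network"].prefixlen, -r["metric"]))


def egress_interface(route_text, dst):
    """Name of the interface a packet to dst leaves through, or None."""
    route = lookup(parse_routes(route_text), dst)
    return route["dev"] if route else None


def without_tunnel(route_text):
    """The same table with the tun0 entries gone, i.e. after openvpn exits."""
    return "\n".join(l for l in route_text.splitlines() if "tun0" not in l) + "\n"


if __name__ == "__main__":
    for dst in ("8.8.8.8", "203.0.113.10", "10.42.0.5", "192.168.0.1"):
        print(f"{dst:>14} -> {egress_interface(ROUTES_VPN_UP, dst)}")
    print("8.8.8.8 with VPN down ->",
          egress_interface(without_tunnel(ROUTES_VPN_UP), "8.8.8.8"))
```

The point for the firewall question: a LAN PC's packet to 8.8.8.8 is forwarded into tun0, not plp2, so the only thing the modem/router can filter is the UDP/1194 flow to 203.0.113.10 that carries it. Run the real `ip route` on the gateway with the tunnel up and down and look for the two /1 routes; if they are missing, the provider is not redirecting the default gateway and only the tunnel subnet goes through the VPN.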
Old 09-30-2017, 07:34 PM   #7
taylorkh
Senior Member
 
Registered: Jul 2006
Location: North Carolina
Distribution: CentOS 6, CentOS 7 (with Mate), Ubuntu 16.04 Mate
Posts: 2,127

Original Poster
Thanks for the replies. However, I think I am still at the HIGH level of trying to figure out IF something is happening, not what, when or how. That will come.

On my DSL modem/router box I BLOCKED all traffic on port 80 tcp. This of course is non-encrypted http traffic. I then attempted to access the web site of a local TV station - which does not use https - from a PC on my LAN. The connection failed. I then fired up the VPN on my "gateway" Internet sharing PC. The unencrypted web site was now available - as I expected, as the VPN tunneled through the modem/router and connected to the TV web site from a server at the other end of the tunnel.

I am trying to do the same test by changing the firewall on the gateway PC. As it is running CentOS 7.4 which uses firewalld... I am at a bit of a loss. I have read that on firewalld:

All zones (except the drop zone - substitute drop for reject)

"Reject incoming traffic unless related to outgoing traffic or matching [a specific list of services per the zone in question]"

The http service (port 80 tcp) is NOT enabled in the public zone (which is the default and is where my 2 interfaces live - 3 when the VPN is running). The textbook firewalld/firewall-cmd exercise is to enable web traffic to the ubiquitous web server on the textbook server by adding http service to the appropriate zone.

However, I have not figured out how to STOP all http traffic. If I send a request to a web site the http data on port 80 is assumed to be OK and is let through -if I understand correctly.

Is there a simple way to block port 80 in firewalld?

Thanks,

Ken

Last edited by taylorkh; 09-30-2017 at 07:35 PM.
 
Old 09-30-2017, 10:17 PM   #8
ferrari
LQ Guru
 
Registered: Sep 2003
Location: Auckland, NZ
Distribution: openSUSE Leap
Posts: 5,754

Quote:
However, I have not figured out how to STOP all http traffic. If I send a request to a web site the http data on port 80 is assumed to be OK and is let through -if I understand correctly.
Yes, I think in general the firewall is configured to allow ESTABLISHED and RELATED traffic (so that browsing is permitted for example).

Quote:
Is there a simple way to block port 80 in firewalld?
I'm no firewall guru, but you could prevent outgoing http traffic with destination port 80...

Code:
firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 1 -p tcp -m tcp --dport 80 -j DROP
*You could test the rule without the '--permanent' option first

A basic firewalld guide:
https://www.linode.com/docs/security...alld-on-centos
 
Old 09-30-2017, 11:51 PM   #9
ferrari
LQ Guru
 
Registered: Sep 2003
Location: Auckland, NZ
Distribution: openSUSE Leap
Posts: 5,754

...and of course similarly for ipv6....
Code:
firewall-cmd --permanent --direct --add-rule ipv6 filter OUTPUT 1 -p tcp -m tcp --dport 80 -j DROP
 
Old 10-01-2017, 11:56 AM   #10
taylorkh
Senior Member
 
Registered: Jul 2006
Location: North Carolina
Distribution: CentOS 6, CentOS 7 (with Mate), Ubuntu 16.04 Mate
Posts: 2,127

Original Poster
Thank you ferrari,

That did the trick perfectly! I added the IPv4 rule without the --permanent. Access to the non-https web site was blocked. I was able to access an https web site. I removed the rule and was again able to access the non-https web site. I then connected to the VPN and added/removed the rule. The results were identical. This tells me that the VPN connection obeys the constraints of the firewall.

For my next trick I added the rule and attempted to access the non-https site from a PC connected to the "Shared to other computers" interface. I WAS able to connect. Bummer. I had expected the connection to be blocked. I then cloned the rule using INPUT instead of OUTPUT and added it as well. I can still access the test site from the connected PC.

But it gets stranger still. I added the rules, verified I could not access the test site from the machine on which I am playing with the firewall and then did a firewall-cmd --reload. I had NOT saved the rules permanently so this should have cleared them from the firewall (as I understand). But it did not. I even tried --complete-reload. STILL did not clear the rules. I am unable to access the test site unless I MANUALLY remove the rules???

I am making progress but not as much as I had hoped.

Thanks again,

Ken
 
Old 10-01-2017, 05:55 PM   #11
ferrari
LQ Guru
 
Registered: Sep 2003
Location: Auckland, NZ
Distribution: openSUSE Leap
Posts: 5,754

I'm not familiar with using firewalld at all, but for your requirements it might be best to create a custom zone for enp0s20u4u1 and drop all traffic that is not specifically allowed.

This guide will show you how to achieve that
https://crosp.net/blog/administratio...alld-centos-7/

In the example given, they create 'customzone' to allow HTTP, HTTPS and SSH traffic, but you could adjust /etc/firewalld/zones/customzone.xml to make it more restrictive so that only HTTPS traffic is permitted.
 
Old 10-01-2017, 05:58 PM   #12
ferrari
LQ Guru
 
Registered: Sep 2003
Location: Auckland, NZ
Distribution: openSUSE Leap
Posts: 5,754

BTW, don't forget to add the interface to the zone when done....
Code:
firewall-cmd --permanent --zone=customzone --add-interface=enp0s20u4u1
 
Old 10-01-2017, 07:34 PM   #13
taylorkh
Senior Member
 
Registered: Jul 2006
Location: North Carolina
Distribution: CentOS 6, CentOS 7 (with Mate), Ubuntu 16.04 Mate
Posts: 2,127

Original Poster
Thanks again ferrari,

I think I need to turn my monitor upside down and stand on my head. That way my brain will be rotating as if I was in the Southern hemisphere. Perhaps then I could sort this out.

My first experience with a "firewall" was in Windoze. A program called Black Ice Defender. I could allow "stuff" through or not. I recall that I had just gotten Samba to work on my "file and printer" server (Red Hat 7.x or 8 I think). I was connected to the Linux box from my Win NT machine and was playing a video clip from the server. All of a sudden it stopped. After a couple of weeks of messing with it, new version of Samba, reinstalled the whole server etc. I was about to give up. While I was working on something else the Black Ice program decided to do an upgrade. As part of this process it shut itself down. All of a sudden my Samba server appeared! When Black Ice restarted the Samba server went away. It turned out that the program decided to protect the PC against other PCs in its own Workgroup and thus zapped the Samba server. I told it to trust the local PCs and all was well.

That said, I have a long held concept that a firewall should/could stop traffic on certain ports BOTH WAYS. My new DSL modem/router has more than 50 services and ports which can be blocked in one or both directions. And now that I am looking at firewalld...

The underlying philosophy seems to be:

- All incoming traffic is blocked unless specifically permitted (I like that) unless...
- The traffic is related to a connection initiated from behind the firewall (I am not too sure about that).

If this is appropriate then firewall management is REALLY SIMPLE. But is it?

If I allow traffic IN to my proverbial web server and some malware comes in on that connection...
If the malware escapes the constraints of SELinux et al. and runs amok it could potentially initiate outbound connections via telnet, ftp and various other insecure protocols which I might never expect to be used and which could cause more damage than just the original web connection. Should the firewall let nothing OUT except what is permitted? I don't know.

The example you point to will, I think, allow just the 3 protocols INCOMING. If I deleted the http line it would prevent connection to MY web server by that means.

As to the --direct rule which you recommended earlier... I wonder which zone(s) it applies to? My incoming (from the Internet side), shared (to my other test PC) and a mystery virbr0 connection
Code:
virbr0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        ether 52:54:00:49:12:8e  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
all live in the default (public) zone. As I related earlier the rule blocked access to an http web site on the sharing PC but not on a PC attached to the shared connection.

I have pulled some ifconfig and route data from both PCs. I will print it out and with the aid of some colored pens I will draw circles and arrows and see what I can map out.

Kind regards,

Ken
 
Old 10-01-2017, 09:36 PM   #14
ferrari
LQ Guru
 
Registered: Sep 2003
Location: Auckland, NZ
Distribution: openSUSE Leap
Posts: 5,754

Quote:
The underlying philosophy seems to be:

- All incoming traffic is blocked unless specifically permitted (I like that) unless...
- The traffic is related to a connection initiated from behind the firewall (I am not too sure about that).
That is the usual (general) Linux firewall strategy yes.

Quote:
As to the --direct rule which you recommended earlier... I wonder which zone(s) it applies to?
The external interface (public zone) AFAIU.

Last edited by ferrari; 10-01-2017 at 09:37 PM.
 
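An added example (not from the thread) of why ferrari's OUTPUT rule blocked port 80 on the gateway itself but not on the PC behind the shared interface, as Ken reported in post #10. Netfilter runs each packet through exactly one filter chain: a packet a process on the gateway generates traverses OUTPUT, a packet addressed to the gateway traverses INPUT, and a packet the gateway merely routes on behalf of a LAN PC traverses FORWARD and never touches OUTPUT or INPUT. A --direct rule therefore applies to the chain it names, not to a zone, and the same rule placed in FORWARD is what blocks the LAN PC. The simulation below is a deliberately small model of that traversal plus the ESTABLISHED,RELATED allowance; the gateway's addresses, the service ports standing in for the public zone, and the FORWARD ACCEPT rule that NetworkManager's sharing mode is assumed to install are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumed addresses of the gateway's own interfaces (plp2, enp0s20u4u1, tun0);
# the thread only gives the 192.168.0.x prefix and 10.42.0.1.
GATEWAY_ADDRS = {"192.168.0.23", "10.42.0.1", "10.8.0.2"}
LAN = "10.42.0.0/24"          # NetworkManager's shared subnet, as in the thread


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "tcp"
    dport: int = 80


@dataclass
class Rule:
    chain: str                      # INPUT, OUTPUT or FORWARD
    target: str                     # ACCEPT, DROP or REJECT
    proto: Optional[str] = None
    dport: Optional[int] = None
    src_net: Optional[str] = None
    state: Optional[str] = None     # e.g. "ESTABLISHED,RELATED"

    def matches(self, pkt: Packet, state: str) -> bool:
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        if self.src_net is not None and \
                ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src_net):
            return False
        if self.state is not None and state not in self.state.split(","):
            return False
        return True


# Chain policies: firewalld's public zone rejects unsolicited input, nothing is
# forwarded unless a rule permits it, locally generated traffic is unrestricted.
POLICY = {"INPUT": "REJECT", "FORWARD": "REJECT", "OUTPUT": "ACCEPT"}


def chain_for(pkt: Packet) -> str:
    """Exactly one filter chain sees a given packet on the gateway."""
    if pkt.src in GATEWAY_ADDRS:
        return "OUTPUT"     # generated by a process on the gateway
    if pkt.dst in GATEWAY_ADDRS:
        return "INPUT"      # addressed to the gateway itself
    return "FORWARD"        # routed on behalf of a LAN PC


def verdict(rules, pkt: Packet, state: str = "NEW"):
    """First matching rule in the packet's chain wins, else the chain policy."""
    chain = chain_for(pkt)
    for rule in rules:
        if rule.chain == chain and rule.matches(pkt, state):
            return chain, rule.target
    return chain, POLICY[chain]


def base_rules():
    """Approximation of the gateway's ruleset as described in the thread."""
    return [
        # public zone: replies to connections the gateway opened are allowed
        Rule("INPUT", "ACCEPT", state="ESTABLISHED,RELATED"),
        Rule("INPUT", "ACCEPT", proto="tcp", dport=22),     # ssh
        Rule("INPUT", "ACCEPT", proto="tcp", dport=5900),   # vnc-server
        Rule("INPUT", "ACCEPT", proto="tcp", dport=2049),   # nfs
        # assumed: what "Shared to other computers" installs so LAN PCs get out
        Rule("FORWARD", "ACCEPT", src_net=LAN),
        Rule("FORWARD", "ACCEPT", state="ESTABLISHED,RELATED"),
    ]


# ferrari's direct rule from post #8, and its FORWARD-chain counterpart
OUTPUT_DROP_80 = Rule("OUTPUT", "DROP", proto="tcp", dport=80)
FORWARD_DROP_80 = Rule("FORWARD", "DROP", proto="tcp", dport=80)


def web_request(rules, src: str, dst: str = "198.51.100.7"):
    """Verdict on the SYN of an HTTP request from src to a (documentation) web server."""
    return verdict(rules, Packet(src, dst))


if __name__ == "__main__":
    ruleset = [OUTPUT_DROP_80] + base_rules()
    print("gateway itself           :", web_request(ruleset, "192.168.0.23"))
    print("gateway, VPN up (tun0)   :", web_request(ruleset, "10.8.0.2"))
    print("LAN PC, OUTPUT rule      :", web_request(ruleset, "10.42.0.5"))
    print("LAN PC, FORWARD rule     :", web_request([FORWARD_DROP_80] + base_rules(), "10.42.0.5"))
    print("LAN PC, FORWARD rule last:", web_request(base_rules() + [FORWARD_DROP_80], "10.42.0.5"))
```

The firewall-cmd equivalent goes in the FORWARD chain (`firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -p tcp -m tcp --dport 80 -j DROP`) and, as the last line of the demo shows, only works if it sits ahead of whatever ACCEPT rule connection sharing installed. Direct rules land in firewalld's FORWARD_direct sub-chain and NetworkManager may have inserted its sharing rules ahead of the jump to it, so check the live ordering with `iptables -L FORWARD -nv --line-numbers` rather than assuming it, and use `firewall-cmd --direct --get-all-rules` to see which direct rules are actually loaded at runtime.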
Old 10-03-2017, 07:04 PM   #15
taylorkh
Senior Member
 
Registered: Jul 2006
Location: North Carolina
Distribution: CentOS 6, CentOS 7 (with Mate), Ubuntu 16.04 Mate
Posts: 2,127

Original Poster
Hello again ferrari,

I have played with this some more but have still not figured out what is going on. Proceeding with the understanding that ONLY traffic initiated from behind the firewall or traffic specifically permitted within a zone...

Plan B:

From PC to PC on my LAN I need SSH, nfs and VNC connections only (as best I can tell). I will put the shared connection on the gateway PC in a zone which allows these services (probably less nfs which is not running on the gateway). I will set up similar firewalls on each PC on the LAN. I will move the Internet side connection to a more restricted zone on the gateway. How to test??? While taking my dog for our evening walk the answer came to me. ShieldsUP! by Gibson Research https://www.grc.com. It is a rather thorough port testing tool. I will use it as my benchmark as I move things around.

Plan C:

I have Untangle installed on a test PC. It is in the process of being configured. Probably overkill but it is supposed to handle VPN connections as well as firewall and monitoring functions. I will let you know what happens next.

Ken
 
  

